Once hackers gain access to an e-commerce site, they often can easily access payments data and other personal information, warns Al Pascual, director of fraud and security at Javelin Strategy & Research. That's because data on these sites is not typically segregated, based on sensitivity, he adds.

"Compromising the websites themselves is functionally equivalent to breaching a POS terminal," he says. "Criminals gain access to all of the payment data they need as soon as it is entered, potentially exposing every customer who has interacted with the merchant through that channel to subsequent fraud."

Troy Leach, CTO of the PCI Security Standards Council, says online retailers need to start investing in technologies, such as tokenization, that remove card data from their systems to prevent potential exposure.

"We can expect to see more attacks in the online space and where transactions are made without a physical card present," Leach says. "As EMV chip technology cuts down on fraud for in-store transactions, criminals will focus their attacks on emerging channels. That's why removing the incentive for criminals by using dynamic data, other forms of authentication and technologies like tokenization that make the data useless for committing fraud will be key to protecting payments."
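As an added illustration of the tokenization approach Leach describes (example code written for this page, not from the article or from any company named in it): a minimal vault that swaps the card number for a random token, so the merchant's own order records never hold a PAN. The class and function names and the sample card number are assumptions.

```python
import re
import secrets

# Constructed example of card-data tokenization: the vault holds the
# PAN <-> token map outside the merchant's environment; the merchant
# keeps only the token and a display fragment (last four digits).

def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Assumed vault service; the only place a full PAN is ever stored."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, raw_pan: str) -> dict:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        # Random token, not derived from the PAN: useless if stolen alone.
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) can map back to the PAN."""
        return self._by_token[token]

def merchant_checkout(vault: TokenVault, raw_pan: str, order_id: str) -> dict:
    """The row the merchant persists: it contains no card number."""
    t = vault.tokenize(raw_pan)
    return {"order_id": order_id, "card_token": t["token"], "card_last4": t["last4"]}

def record_exposes_pan(record: dict, raw_pan: str) -> bool:
    """Defender's check: does a stored record leak the full PAN anywhere?"""
    digits = re.sub(r"\D", "", raw_pan)
    return any(digits in str(v) for v in record.values())
```

A breach of the merchant's database then yields tokens and last-four fragments only; the card number lives solely in the vault.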

Investigation Continues

PNI's investigation of a possible breach is continuing, Kirk Saville, a spokesman at office supply company Staples, which acquired PNI in 2014, tells Information Security Media Group. "Outside security experts are assisting in the investigation," he says.

News of a potential breach linked to PNI broke last week, when Walmart Canada and CVS Pharmacy announced that they had temporarily disabled their online and mobile photo services because of a potential breach linked to PNI.

Then, more retailers, including Rite Aid Pharmacy, Costco, Tesco and Sam's Club announced that they, too, had disabled their online and mobile photo services because of a suspected third-party breach. Only Rite Aid, however, mentioned PNI as the company to which it outsources online photo services.

So far, none of these PNI retail customers say they have seen any evidence to indicate that card data was compromised on their sites.

Software Vulnerabilities

Vulnerabilities in the software and even HTML code used on e-commerce sites can make them susceptible to breaches. For example, Pascual points to the 2013 Adobe breach, which exposed source code for ColdFusion, a Web application development platform used by many e-commerce sites.

"Merchants with an online presence need to be prepared for different types of threats than they are used to at the POS," he says. "That being said, to gain an understanding of where they are at risk, they should consider the corollaries between different points in the respective payment channels."

While no one has linked PNI's potential breach to ColdFusion, some experts say a similar type of software vulnerability could be to blame for the potential breach at PNI. This is why stronger online authentication is so critical to help prevent unauthorized financial transactions based on payment information stolen in an e-commerce attack.

Dave Jevans, chief technology officer of online security firm Marble Security Inc., said that, in the wake of the ColdFusion vulnerability, many online retailers have been reluctant to enhance authentication.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
